Splunk Enterprise documentation states that the best method to secure log traffic between Universal Forwarders (UFs) and Indexers is Transport Layer Security (TLS) with CA-signed certificates. When a Universal Forwarder sends data to an Indexer, that connection can be encrypted with SSL/TLS so the log stream cannot be read, tampered with, or intercepted in transit.
Splunk ships default self-signed certificates out of the box, but they are intended only for test or lab environments and must not be used in production: every Splunk download carries the same default certificate and key, so they provide no authentication at all. Production-grade security requires your own signed certificates, issued either by an internal Certificate Authority (CA) or by a trusted public CA. When both sides verify the peer (the forwarder validates the indexer's certificate chain and common name, and the indexer requires a client certificate), the certificates authenticate both the sender (forwarder) and the receiver (indexer) and protect the integrity and authenticity of the data.
In practice, this involves:
Generating or obtaining CA-signed certificates (one for each forwarder and indexer, plus the CA certificate that signed them).
Configuring the forwarder's outputs.conf to use SSL encryption (sslCertPath, sslPassword, and sslRootCAPath) and to validate the indexer's certificate (sslVerifyServerCert and sslCommonNameToCheck).
Configuring the indexer's inputs.conf (an [splunktcp-ssl] input with an [SSL] stanza that sets serverCert and requireClientCert) and server.conf (the sslRootCAPath used to validate client certificates).
This configuration encrypts and authenticates all log data in transit from forwarders to indexers.
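The following stanzas show the three files from the steps above as an added example; they are not taken from the Splunk documentation pages cited below. Paths, the hostname idx01.example.internal and the port 9997 (Splunk's default receiving port) are assumptions. The weak default on the forwarder side (no server certificate verification) is shown commented out next to the hardened setting. Note that current outputs.conf.spec names the forwarder's certificate setting clientCert and marks sslCertPath as a deprecated alias, and that sslRootCAPath has moved to the [sslConfig] stanza of server.conf; the older names in the text above still work but log deprecation warnings.

```ini
# ---- Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
# Assumed indexer hostname and default splunktcp port.
server = idx01.example.internal:9997
# Forwarder certificate signed by the CA, with its private key appended (PEM).
# sslCertPath is the deprecated name for this setting.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
# Passphrase of the private key; Splunk replaces it with a hash on first start.
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
# Weak default: the forwarder accepts any certificate the indexer presents.
# sslVerifyServerCert = false
# Hardened: validate the indexer's chain against the CA and check its CN.
sslVerifyServerCert = true
sslCommonNameToCheck = idx01.example.internal
sslVersions = tls1.2

# ---- Universal Forwarder AND Indexer: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# CA certificate (or chain) used to validate the peer's certificate.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Indexer certificate signed by the CA, with its private key appended (PEM).
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
# Reject forwarders that do not present a certificate signed by the CA.
requireClientCert = true
sslVersions = tls1.2

# Keep no cleartext [splunktcp://9997] stanza alongside the SSL input; a
# misconfigured forwarder would otherwise still be accepted without TLS.
```

After restarting both sides, confirm the effective settings with `splunk btool outputs list --debug` on the forwarder and `splunk btool inputs list SSL --debug` on the indexer, then check the handshake with `openssl s_client -connect idx01.example.internal:9997 -CAfile ca.pem`; with requireClientCert enabled the indexer should reject that probe when no client certificate is supplied, and splunkd.log on the forwarder should show the connection established over TLS.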
Routing traffic through a WAF (Option C) does not encrypt Splunk-to-Splunk traffic, since a WAF inspects HTTP and the forwarder-to-indexer stream is Splunk's own splunktcp protocol; securing search head–to–indexer communication (Option D) protects a different path and is unrelated to forwarder data flow.
References (Splunk Enterprise Documentation):
• Securing Splunk Enterprise: Encrypting Data in Transit Using SSL/TLS
• Configure Forwarder-to-Indexer Encryption
• Server and Forwarder Authentication with Signed Certificates
• Best Practices for Forwarder Management and Security Configuration